This repository has been archived by the owner on Feb 4, 2022. It is now read-only.
HttpUrl path is not correctly encoded #56
Comments
johanjanssens
changed the title
johanjanssens
added a commit
that referenced
this issue
Apr 25, 2016
- Replace urldedod() with rawurldecode() - Replace urlencode() with rawurlencode() - Do not use custom encoding for url path
johanjanssens
added a commit
that referenced
this issue
Apr 25, 2016
Mustache default escaper already uses htmlspecialchars().
johanjanssens
added a commit
that referenced
this issue
Apr 28, 2016
johanjanssens
added a commit
that referenced
this issue
May 2, 2016
johanjanssens
changed the title
|
@ercanozkaya This is merged. I would consider merging this to Joomlatools Framework too as this can be considered a low prio security issue. |
johanjanssens
added a commit
that referenced
this issue
May 2, 2016
johanjanssens
added a commit
that referenced
this issue
May 20, 2016
|
Note: Needs to be merged to Joomlatools Framework 3.0 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
HttpUrl implements a custom path encoding mechanism which does not properly escape the path. Refactor HttpUrl and harden it using rawurlencode() instead of a urlencode() or custom path encoding.
Note: since PHP5.3 rawurlencode comforms to rfc3986. (more info)
The text was updated successfully, but these errors were encountered: